CS2: A Searchable Cryptographic Cloud Storage …seny/slides/CS2.pdfCS2: A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom

CS2: A Searchable Cryptographic Cloud

Storage System

Seny Kamara (MSR)

Charalampos Papamanthou (UC Berkeley)

Tom Roeder (MSR)

Cloud Computing

o Main concern

o will my data be safe?

o will anyone see it?

o can anyone modify it?

o Security solutions

o VM isolation

o Single-tenant servers

o Access control

o …

o Cloud provides stronger security than self-hosting [Molnar-Schecter-10]

o Q: but what if I don’t trust the cloud operator?

Cloud Computing

Cloud Storage

?

Traditional Approach

?

AEncK AEncK

AEncK AEncK

AEncK

o File-based access is hard (esp. for large data)

o Search-based access is preferred o Web search

o Desktop search

o Apple Spotlight, Google Desktop, Windows Desktop

o Enterprise search

Search-based Access

Two Simple Solutions to Search

?

Large comm. complexity

id2

Large local storage

Q: can we achieve the best of both?

AEncK

AEncK

AEncK

AEncK

o Motivation

o CS2 building blocks o Symmetric searchable encryption

o Search authenticators

o Proofs of storage

o CS2 Protocols o for standard search

o for assisted search

o Experiments

Outline

CS2 Building Blocks

Searchable Symmetric Encryption [SWP01]

tw

EncK EncK

EncK

o [Goldreich-Ostrovsky-96] o : hides everything

o : interactive

o [Song-Wagner-Perrig-01] o : non-interactive

o : static, linear search time, leaks information

o [Goh03, Chang-Mitzenmacher-05] o : non-interactive, dynamic

o : linear search time, non-adaptive security (CKA1-security)

o [Curtmola-Garay-K-Ostrovsky-06] o : non-interactive, sub-linear search (optimal), adaptive security

o : static

Searchable Symmetric Encryption

We need new SSE!

Proofs of Storage [ABC+07, JK07]

C

π

o [ABC+07,JK07,SW08,DVW09,AKK09] o : efficient

o : static

o [APMT08] o : efficient and dynamic

o : bounded verifications

o [EKPT09] o : efficient, dynamic, unlimited verification

o : patented

Proofs of Storage

We need new PoS!

Search Authenticator

𝑤

π

o [GGP10,CVK10,CVK11] o : general-purpose

o : inefficient (due to FHE) & static

o [CRR11] o : general-purpose, efficient

o : requires two non-colluding clouds

o [BGV11]

o : proof generation is linear & static

Search Authenticators

We need new VC/SA!

o Motivation



o Proofs of storage



o Experiments

Outline

GOOG

IBM

AAPL

MSFT

SSE-1 [CGKO06]

MSFT

GOOG

AAPL

IBM

F2 F10 F11

F2 F8 F14

F1 F2

F4 F10 F12

1. Build inverted/reverse index

F11 F8 F2 F10

F1 F4 F12 F10

F2 F2 F14 #

2. Randomly permute array & nodes

Posting list

GOOG

IBM

AAPL

MSFT

GOOG

IBM

AAPL

MSFT

SSE-1 [CGKO06]

F11 F8 F2 F10

F1 F4 F12 F10

F2 F2 F14 #

2. Randomly permute array & nodes

3. Encrypt nodes

SSE-1 [CGKO06]

3. Encrypt nodes

4. ‚Hash‛ keyword & encrypt pointer

GOOG

IBM

AAPL

MSFT

FK(GOOG) Enc(•)

FK(IBM) Enc(•)

FK(AAPL) Enc(•)

FK(MSFT) Enc(•)

o Non-adaptively secure ⇒ adaptive security

o Idea #1 [Chase-K-10]

o replace encryption scheme with symmetric non-committing encryption

o only requires a PRF + XOR

o : doesn’t work for dynamic data

o Idea #2

o Use RO + XOR

Limitations of SSE-1

o Static data ⇒ dynamic data

o Problem #1:

o given new file FN = (AAPL, …, MSFT)

o append node for F to list of every wi in F


MSFT

GOOG

AAPL

IBM

F2 F10 F11

F2 F8 F14

F1 F2

F4 F10 F12

FN

FN

FK(GOOG) Enc(•)

FK(IBM) Enc(•)

FK(AAPL) Enc(•)

FK(MSFT) Enc(•)

1. Over unencrypted index

2. Over encrypted index ???


o Problem #2:

o When deleting a file F2 = (AAPL, …, MSFT)

o delete all nodes for F2 in every list


MSFT

GOOG

AAPL

IBM

F2 F10 F11

F2 F8 F14

F1 F2

F4 F10 F12 FK(GOOG) Enc(•)

FK(IBM) Enc(•)

FK(AAPL) Enc(•)

FK(MSFT) Enc(•)

1. Over unencrypted index

2. Over encrypted index ???


o Idea #1

o Memory management over encrypted data

o Encrypted free list

o Idea #2

o List manipulation over encrypted data

o Use homomorphic encryption (here just XOR) so that pointers can be updated obliviously

o Idea #3

o deletion is handled using an ‚dual‛ SSE scheme

o given deletion/search token for F2 , returns pointers to F2 ‘s nodes

o then add them to the free list homomorphically


o Motivation

o Related work & our approach



o Proofs of storage



o Experiments

Outline

o Inefficient ⇒ practical

o Idea #1

o Design special-purpose scheme (i.e., just for verifying search)

o Idea #2

o Use Merkle Tree ‚on top‛ of inverted index

o For keyword w: we efficiently verify its posting list and associated files

o Generating proof is O(w*) instead of O(n)

o Static ⇒ dynamic

o Idea #1

o Replace bottom hash with incremental hash o [Bellare-Goldreich-Goldwasser94, Bellare-Micciancio97]

Limitations of Verifiable Computation


F2

F10

F11

F2

F8

F14

F1

F2

F4

F10

F12

MSFT GOOG AAPL IBM

IH IH IH IH

MSFT

GOOG

AAPL

IBM

F2 F10 F11

F2 F8 F14

F1 F2

F4 F10 F12

1. Build inverted/reverse index

2. Build Merkle tree w/ IH at leaves

Problem: hash functions are not hiding!


MSFT GOOG AAPL IBM

IH IH IH IH

2’. Build Merkle tree w/ IH at leaves over encrypted files

Problem: server has file encryptions so he can 1. IH a set of files 2. check result against a leaf hash 3. determine if files contain common keyword


MSFT GOOG AAPL IBM

IH IH IH IH

2’’. Build Merkle tree w/ IH at leaves over keyed hash of encrypted files

Problem: server has file encryptions so he can 1. IH a set of files 2. check result against a leaf hash 3. determine if files contain common keyword

FK( )

FK( )

FK( )

Proofs of Storage

CS2 Protocols

o Standard search o User searches for w

o Server returns documents w/ w

o Relatively straightforward combination of (dynamic) SSE, PoS & SA

o Assisted search o User searches for w

o Server returns summaries of files with w

o User chooses a subset to retrieve

o Server returns subset of files with w

o More complex combination of (dynamic) SSE, PoS, SA + CRHF

o Search can be more efficient (since less data is returned)

CS2 Protocols

o Definitions in ideal/real-world model o Cloud storage w/ standard search

o Cloud storage w/ assisted search

o

o easier to use within larger protocols (i.e., hybrid security models)

o Single definition for all desired properties

o guarantees composition of underlying primitives is OK

o : definitions & proofs are complicated

o Protocols make black-box use of primitives o : modularity -- replace underlying primitives

CS2 Protocols

Experiments

o C++

o Microsoft Cryptography API: Next Generation o RO: SHA256

o PRFs: HMAC-SHA256

o SKE: 128-bit AES/CBC

o Bignum library o Prime fields

o We test only the crypto overhead o No file transfers over network

o No reading from disk

o No indexing costs

Implementation

o Intel Xeon CPU 2.26 GHz o Windows Server 2008

o 4 datasets o Email (enron): 4MB, 11MB, 16MB

o ≈ every byte is a word

o Office docs: 8MB, 100MB, 250MB, 500MB

o Relatively few keywords

o Media (MP3,WMA, JPG,...): 8MB, 100MB, 250MB, 500MB

o Barely any keywords

o Average over 10 executions

Experiments

STORE

o Total o Email (16MB): 2 mins

o Office (500MB) :1.5 mins

o Media (500MB): 30 s

o Email (16GB): 40/15 hours

o Distribution o Verifiability: 2/3 of cost

o SSE: 1/3 cost

o PoS: negl

SEARCH

o Total o Email (16MB): 0.5 secs

o Office (500MB): 0.1 secs

o Media (500MB): 0.025 secs

o Distribution o Client verification: 80%

o Client decryption: 10%

o Server search + proof: 10%

CHECK

o Total o Email (16MB): 12 secs

o Office (500MB): 12 secs

o Media (500MB): 12 secs

o Distribution o Server Proof: 95%

o Client verify: 5%

ADD



o Media (500MB): 1.5 secs

o Distribution o Email (16MB)

o 40% client auth state update

o 40% server auth update

o 20% add token

DELETE



o Media (500MB): negl

o Distribution o 40% server auth update

o 40% client auth update

o 20% server index update

o New Crypto o Dynamic and CKA2-secure SSE with sub-linear search

o Sub-linear verifiable computation for search

o Unbounded dynamic PDP

o New Protocols o Ideal/real-world definitions for secure cloud storage

o Protocol for standard search

o Protocol for assisted search

o Implementation & experiments o First experimental results for sub-linear SSE

o Identified verification as bottleneck

o Office docs seem to be the best workload

Summary

Questions?

CS2: A Searchable Cryptographic Cloud Storage …seny/slides/CS2.pdfCS2: A Searchable Cryptographic Cloud Storage System Seny Kamara (MSR) Charalampos Papamanthou (UC Berkeley) Tom

Documents